I am a fellow at Harvard University’s Institute for Quantitative Social Science and author of "What Stays in Vegas: The World of Personal Data -- Lifeblood of Big Business -- and the End of Privacy as We Know It.” I am now researching the business of medical data. Please send story ideas and your experiences in the world of personal data to: book (at) whatstaysinvegas.us. On Twitter, follow me at DataCurtain. http://www.facebook.com/WhatStaysinVegas

This Credit Card Startup Has A Way To Thwart Target-Style Hacking

Look into the future a moment and imagine Christmas shopping 2014. Target offers a great deal on a perfect gift. At the register, you recall that someone stole 40 million credit card numbers from the retailer in late 2013. Then, as you flick your fingerprint across the biometric reader on the front of your new credit card, you smile, relaxed in the knowledge that your number will work just a single time and thus would be useless if stolen from Target’s computer system.

That’s the new technology in development at Epic One, a Houston startup that will introduce its pilot credit cards, with a fingerprint reader and microprocessor inside, later this year. It works, in essence, by offering a type of dual-factor authentication: a second piece of information that confirms you are who you claim to be before the transaction is approved. The Epic One card never exposes your Visa, MasterCard, Amex or other card numbers to the network where most of the data hijacking occurs.

Inside the Epic One card, which seeks to bar the kind of credit card theft that occurred at Target.

When a shopper uses an Epic One card, a successful fingerprint scan on the card lights a green indicator on top that signals to the merchant it’s okay to swipe the card. The transaction is then relayed to the card’s issuing bank and to Epic One. The only data Target sees is your Epic One card number plus a one-time use code. Even if someone subsequently hacks into the credit card processing system, the Epic One card number will not work a second time because the thief can’t generate a valid code to use it.
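To make the property concrete, here is a small added model of the flow just described; it is illustrative code written for this page, not Epic One’s software, and Epic One has not published how its codes are built. The model assumes a per-card secret shared with the issuer and a counter-based HMAC code (the class names, the code format and the `EPIC-0001` / `4111111111111111` sample values are all constructed for the example). The merchant records only what it sees, a thief replays that record, and the back end rejects it because the code has already been spent.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the real card number held only in the issuer's cloud wallet.
REAL_PAN = "4111111111111111"


def derive_tag(secret: bytes, counter: int) -> str:
    """HMAC-SHA256 over the counter, truncated to 16 hex characters.
    Assumption of this model: the real code construction is not public."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return mac[:16]


class EpicOneCard:
    """Holds only its own number and a per-card secret, never the underlying
    card details, and emits a fresh code each time the fingerprint check passes."""

    def __init__(self, card_number: str, secret: bytes):
        self.card_number = card_number
        self._secret = secret
        self._counter = 0

    def present(self, fingerprint_matches: bool):
        """Return the (card number, one-time code) pair the merchant sees,
        or None when the biometric check fails and no green light is shown."""
        if not fingerprint_matches:
            return None
        self._counter += 1
        code = f"{self._counter:06d}{derive_tag(self._secret, self._counter)}"
        return (self.card_number, code)


class IssuerBackend:
    """The issuer / Epic One back end: maps the Epic One number to the real
    card and records the highest counter it has already accepted."""

    def __init__(self):
        self._secrets = {}
        self._last_counter = {}
        self._wallet = {}

    def enroll(self, card_number: str, real_pan: str) -> EpicOneCard:
        secret = secrets.token_bytes(32)
        self._secrets[card_number] = secret
        self._last_counter[card_number] = 0
        self._wallet[card_number] = real_pan  # never leaves the back end
        return EpicOneCard(card_number, secret)

    def authorize(self, card_number: str, code: str) -> bool:
        secret = self._secrets.get(card_number)
        if secret is None or len(code) != 22 or not code[:6].isdigit():
            return False
        counter, tag = int(code[:6]), code[6:]
        # A counter at or below the last accepted one is a replay of a spent code.
        if counter <= self._last_counter[card_number]:
            return False
        if not hmac.compare_digest(derive_tag(secret, counter), tag):
            return False  # tag does not match: forged or tampered code
        self._last_counter[card_number] = counter
        return True


def simulate_breach() -> dict:
    """Run one legitimate purchase, a replay of the merchant's stored record,
    a forged code, a second legitimate purchase and a failed fingerprint."""
    issuer = IssuerBackend()
    card = issuer.enroll("EPIC-0001", REAL_PAN)
    merchant_db = []  # what a merchant's system retains after the swipe

    presented = card.present(fingerprint_matches=True)
    first_ok = issuer.authorize(*presented)
    merchant_db.append(presented)

    # Thief dumps merchant_db and replays the stolen pair verbatim.
    replay_ok = issuer.authorize(*merchant_db[0])
    # Thief guesses the next counter but cannot compute the tag.
    forged_ok = issuer.authorize("EPIC-0001", "000002" + "0" * 16)

    second_ok = issuer.authorize(*card.present(fingerprint_matches=True))
    denied = card.present(fingerprint_matches=False)

    return {
        "first": first_ok,
        "replay": replay_ok,
        "forged": forged_ok,
        "second": second_ok,
        "denied_without_fingerprint": denied is None,
        "merchant_saw_real_pan": any(REAL_PAN in field for rec in merchant_db for field in rec),
    }


if __name__ == "__main__":
    print(simulate_breach())
```

The point of the model is the last two dictionary entries together with `replay`: the merchant’s database never contains the real card number, and the one record it does hold is worthless to whoever steals it.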

“The root cause of fraud is the exposure of this information,” says William Gomez Jr., the co-founder and CEO. “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information. The Epic One card grants you temporary access to your cloud wallet that is stored within Epic One’s back-end systems.”

The Target breach has highlighted some pretty serious security weaknesses in the way U.S. businesses process credit card payments. Some experts have called for European-style “chip and PIN” technology as one possible way to boost security, although stores would need new credit card readers, an expensive process. Congress wants to get into the act as well and three senators this week called for a banking committee hearing. “As companies collect, store, and process ever-greater quantities of consumer data, they—and our regulators—must become even more vigilant against breaches and improper use,” Senators Robert Menendez, Mark Warner and Charles Schumer wrote.

Some aspects of the Target breach remain puzzling. A representative at HSBC, which Forbes lists as the nation’s seventh largest bank, told me that none of its credit cards were impacted. How were they spared but other cards stolen? A Target spokeswoman declined to comment, citing the “ongoing criminal and forensic investigation.”

Epic One has spent about $150,000 developing the technology – spare change in the world of startups – but it has come up with an interesting concept. To gain acceptance, it must get banks that issue credit cards to sign up. So far, a Kansas City bank is in discussion to run a pilot program, and Epic One is talking to banks in Houston, California and North Carolina to start issuing their cards later this year.

Gomez estimates it will cost $6 or $7 each to manufacture the new credit cards in bulk, far more than for a conventional slab of American Express or MasterCard plastic. But they work on the existing U.S. credit card infrastructure. He is hoping banks will agree to pay that cost, as well as a small fee to process transactions through Epic One, as a way to mitigate fraud.

A lot of companies are seeking to devise the credit card device of the future. Michigan company Protean later this year plans to introduce a smart card that would store data from all of your cards, as well as library cards and other cards with magnetic stripes on the back. The device, which users would buy, would not prevent a Target-style data breach initially as it transmits the same credit card data as your current card, although the two founders say they plan a 2.0 version with enhanced security features. Coin is also developing a smart card product, and Loop has a similar idea that works on smart phones.

Reducing the huge bundle of cards that many of us carry in our purses and wallets will be a welcome advance. The company that does all that and incorporates added security and privacy should emerge a long-term winner, whether for shopping at Target or anywhere else.


Comments

Why not print certificates for your credit assets, and use THOSE to buy things. They could be printed in various denominations, so you don’t have to carry around a lot of them when inflation occurs. The government could even issue them… and they could be good for all transactions… Such a current innovation would stop the issue of stolen numbers and delete the middlemen, making incomes higher for small shop owners. Of course you might have to sell your stock in MasterCard and Visa and Discover. Maybe we could call it… currency.

Your article is the first that has somewhat clarified the situation with Target’s and so many other breaches at companies. Too often the idea seems to be lost that the data has been stolen from a merchant’s system, not a credit card company’s and not in transmission of the sale. At root the breaches are a result of inadequate data security, not network security or really even card security/technology. It is because the merchants choose to capture and keep (ridiculously insecurely, quite frankly) the data from the consumer’s card.

Your article has clarified, for me anyway, the manner in which a more secure physical card could minimize the damage of a breach of merchant security. Essentially by denying the merchant the ability to store critical information in the first place. My remaining question is whether or not these new cards will work on-line or over the phone for purchasing…and by ‘work’ I mean does the security described here carry over to transactions where the card is not physically scanned – if so, how?

The virtual card number idea is already alive and well in online transactions. It’s just that only a few banks support it.

Typically you’ll log in to your card’s web site and click a button. It’ll give you a 1 time use card number, CVV, and expiration date. I believe BoA supports this.

You raise an interesting issue. Online and Swiped will always require somewhat different fraud mitigation strategies. The media kept mixing up the reporting saying that “CVVs” were lifted, but the online world was somewhat insulated from the Target breach because there are actually _2_ CVVs. One is printed in human-readable numbers, and the other on the magnetic stripe. Target only leaked the magnetic stripe CVV.

That’s all well and good, but if it adds _any_ steps to the checkout process it’s iffy or DOA in eCommerce. Anything that adds any steps in the conversion process is bad according to the Lords of eCommerce. It’s a bit easier to sell it to merchants with the liability shift because there’s a value proposition — not that chip and pin really addresses online transactions yet AFAIK.

I think one of the biggest issues here is Regulation E. Until banks and merchants get something out of it, anything that adds to the checkout process will be perceived as a possible cost to anyone who crunches numbers. One extra step on all transactions could cost much more than what would be left after good screening.

You can make online purchases and recurring payments with E1. The details are heavy to describe in one breath but essentially it will become a 1 step process to make an online transaction while never exposing your information during the transaction. The same goes with recurring payments. If any one of the merchants gets compromised, it wouldn’t matter because the thieves wouldn’t be able to use your compromised information anywhere.